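{{- if and .Values.authentication.mutual.spire.enabled .Values.authentication.mutual.spire.install.enabled -}}
{{- /*
SPIRE server StatefulSet. Rendered only when SPIRE-based mutual authentication
is enabled AND the chart is asked to install SPIRE itself; every tunable below
comes from .Values.authentication.mutual.spire.install.server unless noted.
Comments use Go-template syntax so they never reach the rendered manifest.
*/ -}}
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: spire-server
  namespace: {{ .Values.authentication.mutual.spire.install.namespace }}
  {{- if or .Values.authentication.mutual.spire.install.server.annotations .Values.authentication.mutual.spire.annotations }}
  annotations:
    {{- /* Shared spire.annotations are emitted first, then server.annotations.
           Both land under the same key at indent 4, so a key present in both
           would appear twice in the rendered YAML — keep the two sets disjoint. */}}
    {{- with .Values.authentication.mutual.spire.annotations }}
      {{- toYaml . | nindent 4 }}
    {{- end }}
    {{- with .Values.authentication.mutual.spire.install.server.annotations }}
      {{- toYaml . | nindent 4 }}
    {{- end }}
  {{- end }}
  labels:
    app: spire-server
  {{- with .Values.authentication.mutual.spire.install.server.labels }}
    {{- toYaml . | nindent 4 }}
  {{- end }}
spec:
  {{- /* Replica count is fixed here and not exposed through values. */}}
  replicas: 1
  selector:
    matchLabels:
      app: spire-server
  serviceName: spire-server
  template:
    metadata:
      labels:
        app: spire-server
        {{- /* server.labels are applied to both the StatefulSet and its pods. */}}
        {{- with .Values.authentication.mutual.spire.install.server.labels }}
          {{- toYaml . | nindent 8 }}
        {{- end }}
    spec:
      serviceAccountName: {{ .Values.authentication.mutual.spire.install.server.serviceAccount.name }}
      {{- /* NOTE(review): every container in this pod can see and signal the
             others' processes. Nothing in this template shows which container
             relies on that; confirm it is needed, since it widens what a
             compromised container can reach inside the pod. */}}
      shareProcessNamespace: true
      {{- with .Values.authentication.mutual.spire.install.server.podSecurityContext }}
      securityContext:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- /* Optional user-supplied init containers. `with` skips the block for
             an empty list and for an unset key alike, where `len` on a missing
             value would abort rendering. */}}
      {{- with .Values.authentication.mutual.spire.install.server.initContainers }}
      initContainers:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      containers:
      {{- /* Despite its name, cilium-init is a regular container (listed under
             containers:, not initContainers:). It runs files/spire/init.bash,
             rendered through tpl so the script can use chart values. */}}
      - name: cilium-init
        image: {{ include "cilium.image" .Values.authentication.mutual.spire.install.initImage | quote }}
        imagePullPolicy: {{ .Values.authentication.mutual.spire.install.initImage.pullPolicy }}
        command:
          - /bin/sh
          - -c
          - |
            {{- tpl (.Files.Get "files/spire/init.bash") . | nindent 12 }}
      - name: spire-server
        {{- /* server.image may be a plain image reference string or the map
               form consumed by the cilium.image helper. The string form is
               quoted to match the helper branch and keep it a YAML string. */}}
        {{- if eq (typeOf .Values.authentication.mutual.spire.install.server.image) "string" }}
        image: {{ .Values.authentication.mutual.spire.install.server.image | quote }}
        {{- else }}
        image: {{ include "cilium.image" .Values.authentication.mutual.spire.install.server.image | quote }}
        imagePullPolicy: {{ .Values.authentication.mutual.spire.install.server.image.pullPolicy }}
        {{- end }}
        {{- /* server.conf comes from the spire-server ConfigMap mounted
               read-only at /run/spire/config below. */}}
        args:
        - -config
        - /run/spire/config/server.conf
        ports:
        - name: grpc
          containerPort: 8081
        volumeMounts:
        - name: spire-config
          mountPath: /run/spire/config
          readOnly: true
        {{- if .Values.authentication.mutual.spire.install.server.dataStorage.enabled }}
        - name: spire-data
          mountPath: /run/spire/data
          readOnly: false
        {{- end }}
        - name: spire-server-socket
          mountPath: /tmp/spire-server/private
          readOnly: false
        {{- /* Health probes use HTTP on 8080, which is intentionally not listed
               under ports: (kubelet probes do not require a declared port). */}}
        livenessProbe:
          httpGet:
            path: /live
            port: 8080
          failureThreshold: 2
          initialDelaySeconds: 15
          periodSeconds: 60
          timeoutSeconds: 3
        readinessProbe:
          httpGet:
            path: /ready
            port: 8080
          initialDelaySeconds: 5
          periodSeconds: 5
        {{- with .Values.authentication.mutual.spire.install.server.securityContext }}
        securityContext:
          {{- toYaml . | nindent 10 }}
        {{- end }}
      {{- with .Values.authentication.mutual.spire.install.server.affinity }}
      affinity:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.authentication.mutual.spire.install.server.nodeSelector }}
      nodeSelector:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.authentication.mutual.spire.install.server.tolerations }}
      tolerations:
        {{- toYaml . | trim | nindent 8 }}
      {{- end }}
      volumes:
      - name: spire-config
        configMap:
          name: spire-server
      {{- /* The socket directory mounted at /tmp/spire-server/private in the
             container is a hostPath on the node (created if missing). Anything
             on the node with access to /var/run/spire-server/sockets can reach
             whatever the server exposes there, so node/host access controls
             are part of this deployment's trust boundary. */}}
      - name: spire-server-socket
        hostPath:
          path: /var/run/spire-server/sockets
          type: DirectoryOrCreate
  {{- if .Values.authentication.mutual.spire.install.server.dataStorage.enabled }}
  {{- /* Persistent volume backing the /run/spire/data mount. */}}
  volumeClaimTemplates:
  - metadata:
      name: spire-data
    spec:
      accessModes:
      - {{ .Values.authentication.mutual.spire.install.server.dataStorage.accessMode | default "ReadWriteOnce" }}
      resources:
        requests:
          storage: {{ .Values.authentication.mutual.spire.install.server.dataStorage.size }}
      {{- /* An unset storageClass renders as an empty (null) value, which
             Kubernetes resolves to the cluster's default StorageClass. */}}
      storageClassName: {{ .Values.authentication.mutual.spire.install.server.dataStorage.storageClass }}
  {{- end }}
{{- end }}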
